1 /*
2 * Copyright (c) 2022 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "permission_helper.h"
17
18 #include "ipc_skeleton.h"
19 #include "tokenid_kit.h"
20
21 #include "mmi_log.h"
22 #include "proto.h"
23
24 #undef MMI_LOG_DOMAIN
25 #define MMI_LOG_DOMAIN MMI_LOG_SERVER
26 #undef MMI_LOG_TAG
27 #define MMI_LOG_TAG "PermissionHelper"
28
29 namespace OHOS {
30 namespace MMI {
VerifySystemApp()31 bool PermissionHelper::VerifySystemApp()
32 {
33 MMI_HILOGD("verify system App");
34 auto callerToken = IPCSkeleton::GetCallingTokenID();
35 auto tokenType = OHOS::Security::AccessToken::AccessTokenKit::GetTokenTypeFlag(callerToken);
36 MMI_HILOGD("token type is %{public}d", static_cast<int32_t>(tokenType));
37 if (tokenType == OHOS::Security::AccessToken::ATokenTypeEnum::TOKEN_NATIVE
38 || tokenType == OHOS::Security::AccessToken::ATokenTypeEnum::TOKEN_SHELL) {
39 MMI_HILOGD("called tokenType is native, verify success");
40 return true;
41 }
42 uint64_t accessTokenIdEx = IPCSkeleton::GetCallingFullTokenID();
43 if (!OHOS::Security::AccessToken::TokenIdKit::IsSystemAppByFullTokenID(accessTokenIdEx)) {
44 MMI_HILOGE("system api is called by non-system app");
45 return false;
46 }
47 return true;
48 }
49
CheckPermission(uint32_t required)50 bool PermissionHelper::CheckPermission(uint32_t required)
51 {
52 CALL_DEBUG_ENTER;
53 auto tokenId = IPCSkeleton::GetCallingTokenID();
54 auto tokenType = OHOS::Security::AccessToken::AccessTokenKit::GetTokenTypeFlag(tokenId);
55 if (tokenType == OHOS::Security::AccessToken::TOKEN_HAP) {
56 return CheckHapPermission(tokenId, required);
57 } else if (tokenType == OHOS::Security::AccessToken::TOKEN_NATIVE) {
58 MMI_HILOGD("Token type is native");
59 return true;
60 } else if (tokenType == OHOS::Security::AccessToken::TOKEN_SHELL) {
61 MMI_HILOGI("Token type is shell");
62 return true;
63 } else {
64 MMI_HILOGE("Unsupported token type:%{public}d", tokenType);
65 return false;
66 }
67 }
68
CheckMonitor()69 bool PermissionHelper::CheckMonitor()
70 {
71 CALL_DEBUG_ENTER;
72 std::string monitorPermissionCode = "ohos.permission.INPUT_MONITORING";
73 return CheckHapPermission(monitorPermissionCode);
74 }
75
CheckInterceptor()76 bool PermissionHelper::CheckInterceptor()
77 {
78 CALL_DEBUG_ENTER;
79 std::string interceptorPermissionCode = "ohos.permission.INTERCEPT_INPUT_EVENT";
80 return CheckHapPermission(interceptorPermissionCode);
81 }
82
CheckHapPermission(uint32_t tokenId,uint32_t required)83 bool PermissionHelper::CheckHapPermission(uint32_t tokenId, uint32_t required)
84 {
85 OHOS::Security::AccessToken::HapTokenInfo findInfo;
86 if (OHOS::Security::AccessToken::AccessTokenKit::GetHapTokenInfo(tokenId, findInfo) != 0) {
87 MMI_HILOGE("GetHapTokenInfo failed");
88 return false;
89 }
90 if (!((1 << findInfo.apl) & required)) {
91 MMI_HILOGE("Check hap permission failed, name:%{public}s, apl:%{public}d, required:%{public}d",
92 findInfo.bundleName.c_str(), findInfo.apl, required);
93 return false;
94 }
95 MMI_HILOGD("Check hap permission success");
96 return true;
97 }
98
CheckInjectPermission()99 bool PermissionHelper::CheckInjectPermission()
100 {
101 auto tokenId = IPCSkeleton::GetCallingTokenID();
102 auto tokenType = OHOS::Security::AccessToken::AccessTokenKit::GetTokenTypeFlag(tokenId);
103 MMI_HILOGD("Token type is %{public}d", static_cast<int32_t>(tokenType));
104 if (tokenType == OHOS::Security::AccessToken::ATokenTypeEnum::TOKEN_SHELL) {
105 MMI_HILOGD("called tokenType is shell, verify success");
106 return true;
107 }
108 std::string injectPermissionCode = "ohos.permission.INJECT_INPUT_EVENT";
109 int32_t ret = OHOS::Security::AccessToken::AccessTokenKit::VerifyAccessToken(tokenId, injectPermissionCode);
110 if (ret != OHOS::Security::AccessToken::PERMISSION_GRANTED) {
111 MMI_HILOGE("Check Permission: %{public}s fail for appId:%{public}d, and ret:%{public}d",
112 injectPermissionCode.c_str(), tokenId, ret);
113 return false;
114 }
115 MMI_HILOGD("Check permission( %{public}s) permission success", injectPermissionCode.c_str());
116 return true;
117 }
118
119
CheckInfraredEmmit()120 bool PermissionHelper::CheckInfraredEmmit()
121 {
122 CALL_DEBUG_ENTER;
123 std::string infraredEmmitPermissionCode = "ohos.permission.MANAGE_INPUT_INFRARED_EMITTER";
124 return CheckHapPermission(infraredEmmitPermissionCode);
125 }
126
CheckAuthorize()127 bool PermissionHelper::CheckAuthorize()
128 {
129 CALL_DEBUG_ENTER;
130 std::string injectPermissionCode = "ohos.permission.INJECT_INPUT_EVENT";
131 return CheckHapPermission(injectPermissionCode);
132 }
133
CheckHapPermission(const std::string permissionCode)134 bool PermissionHelper::CheckHapPermission(const std::string permissionCode)
135 {
136 CALL_DEBUG_ENTER;
137 auto tokenId = IPCSkeleton::GetCallingTokenID();
138 auto tokenType = OHOS::Security::AccessToken::AccessTokenKit::GetTokenTypeFlag(tokenId);
139 if ((tokenType == OHOS::Security::AccessToken::TOKEN_HAP) ||
140 (tokenType == OHOS::Security::AccessToken::TOKEN_NATIVE)) {
141 int32_t ret = OHOS::Security::AccessToken::AccessTokenKit::VerifyAccessToken(tokenId, permissionCode);
142 if (ret != OHOS::Security::AccessToken::PERMISSION_GRANTED) {
143 MMI_HILOGE("Check permission failed ret:%{public}d permission:%{public}s", ret, permissionCode.c_str());
144 return false;
145 }
146 MMI_HILOGD("Check interceptor permission success permission:%{public}s", permissionCode.c_str());
147 return true;
148 } else if (tokenType == OHOS::Security::AccessToken::TOKEN_SHELL) {
149 MMI_HILOGI("Token type is shell");
150 return true;
151 } else {
152 MMI_HILOGE("Unsupported token type:%{public}d", tokenType);
153 return false;
154 }
155 }
156
CheckHapPermission(uint32_t tokenId,const std::string permissionCode)157 bool PermissionHelper::CheckHapPermission(uint32_t tokenId, const std::string permissionCode)
158 {
159 CALL_DEBUG_ENTER;
160 auto tokenType = OHOS::Security::AccessToken::AccessTokenKit::GetTokenTypeFlag(tokenId);
161 if ((tokenType == OHOS::Security::AccessToken::TOKEN_HAP) ||
162 (tokenType == OHOS::Security::AccessToken::TOKEN_NATIVE)) {
163 } else if (tokenType == OHOS::Security::AccessToken::TOKEN_SHELL) {
164 MMI_HILOGI("Token type is shell");
165 return true;
166 } else {
167 MMI_HILOGE("Unsupported token type:%{public}d", tokenType);
168 return false;
169 }
170 std::string context = "For CheckPerm. PermiCode" + permissionCode + ";appId:" + std::to_string(tokenId);
171 int32_t ret = OHOS::Security::AccessToken::AccessTokenKit::VerifyAccessToken(tokenId, permissionCode);
172 if (ret != OHOS::Security::AccessToken::PERMISSION_GRANTED) {
173 MMI_HILOGE("Check Permi: %{public}s fail for appId:%{public}d, and ret:%{public}d",
174 permissionCode.c_str(), tokenId, ret);
175 return false;
176 }
177 MMI_HILOGD("Check permission( %{public}s) permission success", permissionCode.c_str());
178 return true;
179 }
180
CheckDispatchControl()181 bool PermissionHelper::CheckDispatchControl()
182 {
183 CALL_DEBUG_ENTER;
184 std::string inputDispatchControl = "ohos.permission.INPUT_CONTROL_DISPATCHING";
185 return CheckHapPermission(inputDispatchControl);
186 }
187
GetTokenType()188 int32_t PermissionHelper::GetTokenType()
189 {
190 CALL_DEBUG_ENTER;
191 auto tokenId = IPCSkeleton::GetCallingTokenID();
192 auto tokenType = OHOS::Security::AccessToken::AccessTokenKit::GetTokenTypeFlag(tokenId);
193 if (tokenType == OHOS::Security::AccessToken::TOKEN_HAP) {
194 uint64_t accessTokenIdEx = IPCSkeleton::GetCallingFullTokenID();
195 if (OHOS::Security::AccessToken::TokenIdKit::IsSystemAppByFullTokenID(accessTokenIdEx)) {
196 return TokenType::TOKEN_SYSTEM_HAP;
197 }
198 return TokenType::TOKEN_HAP;
199 } else if (tokenType == OHOS::Security::AccessToken::TOKEN_NATIVE) {
200 return TokenType::TOKEN_NATIVE;
201 } else if (tokenType == OHOS::Security::AccessToken::TOKEN_SHELL) {
202 return TokenType::TOKEN_SHELL;
203 } else {
204 MMI_HILOGW("Unsupported token type:%{public}d", tokenType);
205 return TokenType::TOKEN_INVALID;
206 }
207 }
208
RequestFromShell()209 bool PermissionHelper::RequestFromShell()
210 {
211 CALL_DEBUG_ENTER;
212 auto tokenId = IPCSkeleton::GetCallingTokenID();
213 auto tokenType = OHOS::Security::AccessToken::AccessTokenKit::GetTokenTypeFlag(tokenId);
214 MMI_HILOGD("Token type is %{public}d", static_cast<int32_t>(tokenType));
215 return tokenType == OHOS::Security::AccessToken::ATokenTypeEnum::TOKEN_SHELL;
216 }
217
CheckMouseCursor()218 bool PermissionHelper::CheckMouseCursor()
219 {
220 CALL_DEBUG_ENTER;
221 std::string mousePermissionCode = "ohos.permission.MANAGE_MOUSE_CURSOR";
222 return CheckHapPermission(mousePermissionCode);
223 }
224
CheckInputEventFilter()225 bool PermissionHelper::CheckInputEventFilter()
226 {
227 CALL_DEBUG_ENTER;
228 std::string filterPermissionCode = "ohos.permission.FILTER_INPUT_EVENT";
229 return CheckHapPermission(filterPermissionCode);
230 }
231 } // namespace MMI
232 } // namespace OHOS
233